Yep, it's pointing to the VRRP mac. I actually got it to start working
finally. I had 3 VLANs on a single switch, 1 for the external VRRP
connections, 1 for the internal VRRP connections, and 1 for the DMZ VRRP
connections. I took the external connections out and put them on a separate,
small switch and it began to work. The VLAN is configured properly so I
don't know why it was forcing the returning traffic onto the second firewall,
but it was. Thanks for the suggestion.
Eric
-----Original Message-----
From: Scott Friedman [mailto:sfriedman AT ADVNETWORKS DOT COM]
Sent: Thursday, August 28, 2003 2:01 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] possible VRRP issue and TCP out of sync errors
Check the ARP cache on the DMZ server. Make sure the IP that it's
sending its traffic to is using the VRRP MAC and not the real one...
Scott Friedman
Security Engineer - NG CCSE
sfriedman AT advnetworks DOT com
Advanced Network Solutions
1750 S. Telegraph Rd Suite 100
Bloomfield Hills, MI 48302
(248) 857-5526 x132
www.advnetworks.com
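One way to script the ARP-cache check suggested above, as an added example that is not from the thread: it parses `arp -a`-style output from the DMZ host and reports whether the default gateway's entry carries the IANA-reserved VRRP virtual MAC (00:00:5e:00:01:VRID, RFC 3768) or a physical interface MAC. The sample ARP output, the addresses and the Linux/BSD line format are assumptions.

```python
import re

# IANA-reserved VRRP virtual MAC prefix for IPv4 (RFC 3768): 00-00-5E-00-01-{VRID}
VRRP_MAC_PREFIX = "00:00:5e:00:01:"

# Constructed sample of `arp -a` output from a DMZ host (not taken from the thread).
# 192.0.2.1 is the VRRP address; .2 and .3 are the firewalls' real interface MACs.
SAMPLE_ARP = """\
? (192.0.2.1) at 00:00:5e:00:01:0a [ether] on eth0
? (192.0.2.2) at 00:a0:8e:12:34:56 [ether] on eth0
? (192.0.2.3) at 00:a0:8e:12:34:57 [ether] on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp(text):
    """Return {ip: mac} for every resolved entry in arp -a style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def vrrp_vrid(mac):
    """Return the VRID if mac is a VRRP virtual MAC, otherwise None."""
    mac = mac.lower()
    if mac.startswith(VRRP_MAC_PREFIX):
        return int(mac[len(VRRP_MAC_PREFIX):], 16)
    return None


def check_gateway(arp_text, gateway_ip):
    """Classify the gateway's ARP entry as ('vrrp', vrid), ('physical', mac) or ('missing', None).

    A 'physical' result means the host is sending its traffic to one firewall's real
    interface, which explains the one-way path and out-of-sync errors described above.
    """
    mac = parse_arp(arp_text).get(gateway_ip)
    if mac is None:
        return "missing", None
    vrid = vrrp_vrid(mac)
    if vrid is not None:
        return "vrrp", vrid
    return "physical", mac


if __name__ == "__main__":
    print(check_gateway(SAMPLE_ARP, "192.0.2.1"))
```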
-----Original Message-----
From: Lewis, Eric [mailto:Eric.Lewis AT MAIL.VA DOT GOV]
Sent: Thursday, August 28, 2003 12:54 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] possible VRRP issue and TCP out of sync errors
I have two IP330s (FP4 w/AI) that have a single DMZ hanging off of them with
all interfaces VRRP'ed. I have a single server on the DMZ that keeps getting
out of sync errors due to outbound traffic being sent to one firewall while
inbound comes from the other firewall. This should not be occurring since
they are VRRP'ed. Everything else on the other internal interface passes
traffic back and forth just fine. If I fault everything over to the second
firewall it works fine. If I fault everything over to the first firewall the
server in the DMZ still won't send traffic out the firewall interface. It is
like the traffic from the DMZ will only go one way out although its default
route is the VRRP address. Any insights?
Eric S. Lewis, CCNA, MCSE, NSA IAM, CCSA, CISSP, CEH
Network Security Officer
512.619.7902
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================